CPU high usage, reconciliation triggered by ConfigMap

[crazymushrooms]

Is there an existing issue for this?

• I have searched the existing issues

What happened?

With the upgrade to prometheus-operator v0.85.0 we face the drastically increased CPU usage of prometheus-operator.

Using metric prometheus_operator_triggered_total{triggered_by="ConfigMap"} We observe that ConfigMap objects obviously trigger the reconciliation in "alertmanager" and "prometheus"
We have about 30 ConfigMap objects in the release namespace however only a couple of them are related to the prometheus-operator. However according to the "prometheus_operator_triggered_total{triggered_by="ConfigMap"}" the number of triggering ConfigMaps is also about 30.

The attribute watch_referenced_objects_in_all_namespaces is not set (default: false).

The operator is deployed with the following parameters:

    - --kubelet-service=kube-system/kube-prometheus-stack-kubelet
    - --kubelet-endpoints=true
    - --kubelet-endpointslice=false
    - --log-format=json
    - --log-level=info
    - --namespaces=ops,kube-system
    - --localhost=127.0.0.1
    - --prometheus-config-reloader=quay.io/prometheus-operator/prometheus-config-reloader:v0.85.0
    - --config-reloader-cpu-request=5m
    - --config-reloader-cpu-limit=0
    - --config-reloader-memory-request=50Mi
    - --config-reloader-memory-limit=150Mi
    - --alertmanager-instance-namespaces=foo
    - --alertmanager-config-namespaces=foo
    - --prometheus-instance-namespaces=foo
    - --thanos-default-base-image=quay.io/thanos/thanos:v0.39.2
    - --thanos-ruler-instance-namespaces=foo
    - --secret-field-selector=type!=kubernetes.io/dockercfg,type!=kubernetes.io/service-account-token,type!=helm.sh/release.v1
    - --web.enable-tls=true
    - --web.cert-file=/cert/cert
    - --web.key-file=/cert/key
    - --web.listen-address=:10250
    - --web.tls-min-version=VersionTLS13

For now the watched Secret objects can be filtered with secretFieldSelector, as referenced here

prometheus-operator/pkg/alertmanager/operator.go

Line 246 in 1752e81

options.FieldSelector = config.SecretListWatchFieldSelector.String()

However there is no such option for the ConfigMaps.
It seems that all the ConfigMap objects in the namespace are watched.

If there is additional configuration we should apply and have overseen by now in order to filter the ConfigMaps objects - it would be great to get help here.

Steps to Reproduce

• deploy prometheus-operator in a version < 0.85.0
• deploy ConfigMaps in the release namespace
• upgrade prometheus-operator to the version v0.85.0

Expected Result

• reasonable variations in the CPU usage

Actual Result

• drastic increase in the CPU usage (~2m -> ~100m)

Prometheus Operator Version

0.85.0

Kubernetes Version

v1.31.11

Kubernetes Cluster Type

EKS

How did you deploy Prometheus-Operator?

helm chart:prometheus-community/kube-prometheus-stack

Manifests

prometheus-operator log output

no meaningful logs for this issue

Anything else?

No response

[heliapb]

Hi @crazymushrooms I think the issue might be related to this change #7615 /cc @simonpasquier, although I still might need to reproduce.

But yes atm there is not such option for configmap selector, might be a good thing we can improve upon.

[simonpasquier]

Thanks for the detailed report! Indeed, #7615 is probably the culprit, sorry about that.

Could you run the operator with the debug log level and share a snippet?

[crazymushrooms]

You are welcome.
Sorry for late feedback.
I tried to collect the debug logs without revealing much project information, hopefully it is somehow useful.

logs-prometheus-operator-2025-09-08.txt

[simonpasquier]

thanks for the logs! I have taken a look but I'd like a bigger timespan because right now it only covers the operator startup time which wasn't enough for me to understand why the operator enters a hop loop of reconciliations. If you're worried about sharing them publicly, feel free to email me at pasquier.simon (at) gmail.com.